1. Technical Field
The embodiments herein relate to a system and method for scanning of web applications, and more particularly, a system and method to perform a web application security testing based on a hybrid pipeline approach.
2. Description of the Related Art
Web application security testing is primarily performed by signature-based automated scanners and human security testers (commonly referred to as security consultants). Automated scanners produce a large number of false positives when detecting security bugs or vulnerabilities. Moreover, automated scanners are not capable of detecting logical security bugs or vulnerabilities. On the other hand, human security testers produce fewer false positives and are capable of detecting logical security vulnerabilities. However, human security testers are costly and less scalable. Human security testers are also less consistent, primarily because it is the human testers who choose the test cases, rather than the test cases being assigned to the testers.
Automated application security scanners utilize a signature-based database to inject faults into an application and match the responses against the signatures to detect vulnerabilities or security flaws in the application. Semi-automated security testing is carried out by penetration testers using various automated scanners and tools: the automated scanners perform the scanning, and the penetration testers apply human intelligence and experience to detect more advanced vulnerabilities. However, there are still some fundamental challenges in the web application security field that need to be resolved.
One of the challenges in web application security is vulnerability verification, both to remove false positives and to perform actual exploitation. Automated tools and scanners detect vulnerabilities in a web application based on their signature database. However, vulnerabilities reported by automated scanners generally include false positives. A false positive means that a feature of the web application which is not a security vulnerability gets classified as a vulnerability. Further, vulnerabilities reported by automated scanners generally require further analysis, such as how to exploit the vulnerability, in order to determine the actual security impact of the vulnerability in the context of the customer network.
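The following is an added illustration, not part of the original disclosure, of why signature matching alone produces the false positives described above. It models a signature-style check (any trace of an injected marker counts as a hit) next to a verification step that only accepts a marker reflected unchanged; the marker token, the three application responses and the triage labels are all constructed for this example.

```python
import html

# Constructed, harmless marker. The angle brackets exist only so that
# an application's output encoding visibly alters it, which is what lets
# the verification step tell a raw reflection from a neutralised one.
PROBE = "<zz7q-probe>"


def naive_signature_check(body: str) -> bool:
    """Signature-scanner style: any trace of the injected marker is a hit."""
    return "zz7q-probe" in body


def verified_check(body: str) -> bool:
    """Verification: the marker must survive unchanged.

    An HTML-escaped copy means the application neutralised the input,
    so the reflection is a feature of the application, not a flaw.
    """
    return PROBE in body


def triage(responses: dict[str, str]) -> dict[str, str]:
    """Label each response as clean, confirmed, or false_positive."""
    labels: dict[str, str] = {}
    for name, body in responses.items():
        if not naive_signature_check(body):
            labels[name] = "clean"
        elif verified_check(body):
            labels[name] = "confirmed"
        else:
            # Signature fired, verification did not: the classic false positive.
            labels[name] = "false_positive"
    return labels


# Constructed responses standing in for three hypothetical applications
# that received PROBE as the value of a search parameter.
SAMPLE_RESPONSES = {
    "escaping_app": f"<p>Results for {html.escape(PROBE)}</p>",  # encodes output
    "echoing_app": f"<p>Results for {PROBE}</p>",               # reflects raw
    "ignoring_app": "<p>Results for </p>",                       # drops input
}

if __name__ == "__main__":
    for app, label in triage(SAMPLE_RESPONSES).items():
        print(f"{app}: {label}")
```

The escaping application trips the signature check yet fails verification, which is exactly the case a human tester would otherwise have to discard by hand.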
A second challenge in web application security is that certain classes of vulnerabilities in web applications require a logical understanding of the web application in order to be detected. Examples of such vulnerabilities include business logic vulnerabilities, data validation vulnerabilities, authorization-related vulnerabilities and many others. In order to find such vulnerabilities, human security testers need to understand the architecture, implementation technology, security mechanisms, use cases and data flow of the web application. As a result, human security testers need to be continuously engaged as part of application scanning to detect such classes of logical vulnerabilities.
Scaling high-quality security testing to thousands and millions of web applications is another fundamental challenge of the security industry today. Automated scanning is scalable by adding computational power. However, automated scanning generates a large number of false positives and lacks logical vulnerability testing capability. On the other hand, the semi-automated security testing approach is not scalable for various reasons, including the fact that human security testers are costly and time-intensive to train. Consistency of security results is another concern, since the semi-automated approach depends substantially on the expertise of the human security testers. The same web application scanned by two different human security testers may produce different results. The primary reason is that human security testers choose the test cases and not the other way round; as a result, two different testers may choose or think of different test cases for the same web application.
Accordingly, there remains a need for an efficient method of security scanning of web applications that achieves better quality, measured in terms of fewer false positives, detection of logical vulnerabilities, test class coverage and consistency of results, while at the same time reducing the cost of performing penetration testing.